June 6, 2012

Internet search giant Google on Tuesday introduced a new alert system that will warn users who are logged into their Google account when it thinks they may be the target of a state-sponsored cyber attack.

Eric Grosse, Google´s VP of security engineering, said in a recent blog post that an alert will be displayed at the top of the user´s Gmail page after logging in and when there is evidence of a suspected state-sponsored attack. He said that such attacks could take the form of malicious software or a “phishing” scam through email, tricking users to give out their user name and password.

We are continually on the hunt for any malicious activity on our systems, Grosse said. And when Google detects an issue, a clear warning sign is shown and extra attention is given to thwart the attacker, he added.

Despite the announcement, Grosse was reserved in revealing how Google knows when someone is being targeted by state-sponsored attacks. “You might ask how we know this activity is state-sponsored,” he said. “We can´t go into the details without giving away information that would be helpful to these bad actors.”

If a suspected attack is happening or Google detects possible foul play, the warning sign pops up and reads: “We believe state-sponsored attackers may be attempting to compromise your account or computer.” The message will not be limited to those using Google Chrome, but will pop up in any browser.

Grosse was quick to point out that the warning “does not necessarily mean that your account has been hijacked. It just means that we believe you may be a target, of phishing or malware for example, and that you should take immediate steps to secure your account.”

Google has been fighting cyber crime viciously since it was one of several companies targeted by Chinese hackers more than two years ago, an attack that led the search company to relocate its search servers. Since then, it has thwarted several large-scale phishing and hacking scams directed at Gmail users.

And, just a few weeks ago, Google placed a similar alert on its pages, warning Windows PC and Mac users that remained infected with DNSChanger malware. Those users could lose their Internet on July 9, when authorities switch off substitute domain name system (DNS) servers that took the place of criminal-controlled machines shut down last year.

The company´s latest announcement could stem from the discovery last week of a sophisticated espionage tool, which security researchers at Google called “Flame.” Flame pilfered vast amounts of data from Middle Eastern computers, most located in Iran and Palestine. Some experts believe Flame is state-sponsored because of its size and complexity.

While the latest alert is new pertaining to state-sponsored attacks, security alerts on Google are not. Google has been notifying Gmail users since March 2010 when it suspects account hacking attempts. Google triggers that alert in part on the Internet Protocol (IP) address of each successful log-on.

The state-sponsored attack alert includes a link to Google´s Help website, where it hints on why an alert was issued and how users can protect their account.

“We believe it is our duty to be proactive in notifying users about attacks or potential attacks so that they can take action to protect their information,” Grosse wrote. “And we will continue to update these notifications based on the latest information.”

If you believe you are the victim of an attack, or could be a victim, there are a few things you can do immediately to help protect yourself. First, you should create a new unique password that has a good mix of capital and lowercase letters, numbers, and punctuation marks; second, you should enable 2-step verification for additional security; and lastly, update your browser, operating system, plug-ins, and document editors as an added measure.

Google also made it clear on its help page that the alert doesn´t mean that Google´s internal systems are compromised and that the warning message “does not refer to one specific campaign.”

Grosse noted that the company routinely receives abuse reports from users, as well as from “internal systems that monitor for suspicious login attempts and other activity.”